JavaScript deobfuscation: 591 Rental Website

Jcomp

As web security mechanisms evolve, modern platforms increasingly rely on sophisticated JavaScript obfuscation and dynamic request signing to protect their data. This article explores a case study of the 2025 update of the 591 Rental Website, analyzing its encryption patterns and deobfuscation techniques.

Introduction to the Research Project

The 591 Scraper Research Project is a technical byproduct that explores the code obfuscation and data encryption technologies used by modern high-traffic websites and restores the code they protect. By analyzing the 2025 version of the 591 Rental platform, we can better understand how front-end security layers attempt to prevent automated data collection and unauthorized API access.

The project provides restored source code and an interactive demonstration page integrated into a “Playground,” allowing researchers to verify the logic behind request signing and parameter encryption.

The Anatomy of Modern Obfuscation

When examining the 591 website’s source code, we encounter several layers of protection designed to frustrate static analysis:

  • Identifier Renaming: Meaningful function and variable names are replaced with hexadecimal strings (e.g., _0x5a2f) to hide their purpose.
  • Control Flow Flattening: The program’s logical flow is obscured by wrapping code blocks inside complex loops and conditional switch statements, making it difficult to follow the execution path linearly.
  • Dynamic String Decryption: String constants, such as API endpoints and cryptographic keys, are not stored in plain text but are decrypted at runtime using a specific lookup table.

Simulating Encrypted Network Requests

To successfully interact with the bff-business API, a request must include a valid sign, a device identifier, and a strictly validated timestamp. Below is a demonstration of how these headers are structured in a Node.js environment using the axios library:

const axios = require('axios');

/**
 * Example Request for Property List
 * Note: The 'sign' is generated dynamically based on the URL parameters.
 */
const url = 'https://bff-business.591.com.tw/v2/web/business/list?type=1&regionid=1&timestamp=1777986368673';

const headers = {
  "device": "pc",
  "sign": "5f0d51314182149441296e23b4d7f0e040d9c79f7ee6c727812e2f25e842a83f6a4122594fcf286b3aa687a524fd526334952ff448",
  "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
};

async function fetchProperties() {
    try {
        const response = await axios.get(url, { headers });
        console.log("Data retrieved successfully:", response.data);
    } catch (error) {
        console.error("Request failed with error:", error.message);
    }
}

fetchProperties();

Parameter Mapping and Filtering Logic

A crucial part of the deobfuscation process is mapping how user-selected filters are converted into API parameters. Our research covers several key segments:

Property Categories

The system distinguishes between various transaction types including Rentals, Sales, and Business Transfers. Specific property categories include:

  • Residential: Whole Floors, Independent Studios, Shared Suites.
  • Commercial: Storefronts, Offices, Factories, Land.
  • Other: Parking Spaces, Mixed-use (Office/Residential).

Geographical Distribution

The API handles regional IDs representing Northern, Central, Southern, and Eastern Taiwan. Specific administrative areas like Taipei City, New Taipei, Taoyuan, and Hsinchu are mapped to internal integer IDs which must be accurately hashed into the signature.

The Deobfuscation Workflow

Restoring the logic requires a multi-step workflow:

  • AST Parsing: Converting the obfuscated code into an Abstract Syntax Tree.
  • Constant Folding: Resolving static expressions and string lookups to make the code readable.
  • Logic Extraction: Isolating the cryptographic functions (likely a variation of MD5 or HMAC) used to generate the sign header.
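
The string-lookup and constant-folding steps above, run on a constructed sample. This is an added example, not the project's restored code: the `_0x3c1e` table, the offset decoder `_0x5a2f` and the `send` call are assumptions, and regular expressions stand in for the AST pass so the block has no dependencies.

```javascript
// Constructed sample: a string table, an offset decoder and three call sites.
// No name or string here is taken from a real site.
const SAMPLE = [
  'const _0x3c1e = ["device", "time", "stamp", "/v1/items"];',
  'function _0x5a2f(i) { return _0x3c1e[i - 0x1a3]; }',
  'const p = {};',
  'p[_0x5a2f(0x1a3)] = "pc";',
  'p[_0x5a2f(0x1a4) + _0x5a2f(0x1a5)] = Date.now();',
  'send(_0x5a2f(0x1a6), p);',
].join('\n');

function deobfuscate(src) {
  // 1. Find the string table: const _0x.... = ["...", ...];
  const table = src.match(/const (_0x[0-9a-f]+) = (\[[^\]]*\]);/);
  if (!table) throw new Error('string table not found');
  const strings = JSON.parse(table[2]);

  // 2. Find the decoder that indexes the table with a fixed offset.
  const decoder = src.match(new RegExp(
    'function (_0x[0-9a-f]+)\\((\\w+)\\) \\{ return ' + table[1] +
    '\\[\\2 - (0x[0-9a-f]+|\\d+)\\]; \\}'));
  if (!decoder) throw new Error('decoder not found');
  const [decl, fn, , rawOffset] = decoder;
  const offset = Number(rawOffset);

  // 3. Drop both declarations and inline every decoder call as a literal.
  let out = src.replace(table[0], '').replace(decl, '');
  out = out.replace(new RegExp(fn + '\\((0x[0-9a-f]+|\\d+)\\)', 'g'), (m, n) => {
    const s = strings[Number(n) - offset];
    return s === undefined ? m : JSON.stringify(s); // keep unresolved calls
  });

  // 4. Constant folding: merge "a" + "b" until nothing changes.
  const concat = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/;
  while (concat.test(out)) out = out.replace(concat, '"$1$2"');

  // 5. Readability: obj["name"] becomes obj.name for identifier-like keys.
  out = out.replace(/(?<=[\w$\])])\["([A-Za-z_$][\w$]*)"\]/g, '.$1');

  return out.split('\n').filter((line) => line.trim()).join('\n');
}

console.log(deobfuscate(SAMPLE));
```

A lookup whose index falls outside the table is left in place rather than guessed, which flags call sites that need a closer look at the decoder.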

Conclusion

The 591 rental website case study provides an excellent look into the current state of front-end security in 2025. By applying reverse engineering and deobfuscation techniques, developers and researchers can gain insights into the complex interactions between client-side scripts and server-side validation.

Disclaimer

This project is intended for Academic Research and Technical Exchange purposes only. Do not use the findings for any illegal activities or to violate the terms of service of the website. All information is derived from publicly available web resources. The author assumes no responsibility for any consequences arising from the use of this project.